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Malvertising and online fraud through forced redirects and Trojanized apps— to cite the two most common 
examples—are increasingly plaguing Android users. In many cases, this is made worse by the fact that people 
often don’t use web filtering or security applications on their mobile devices. 

A particular group is seizing this opportunity to deliver one of the most lucrative payloads at the moment: drive- 
by cryptomining for the Monero (XMR) currency. In a campaign we first observed in late January, but which 
appears to have started at least around November 2017, millions of mobile users (we believe Android devices are 
targeted) have been redirected to a specifically designed page performing in-browser cryptomining. 

In our previous research on drive-by mining, we defined this technique as automated, without user consent, and 
mostly silent (apart from the noise coming out of the victim’s computer fan when their CPU is clocked at 100 
percent). Here, however, visitors are presented with a CAPTCHA to solve in order to prove that they aren’t bots, 
but rather real humans. 


https://blog.malwarebytes.com/threat-analysis/2018/02/drive-by-cryptomining-campaign-attracts-millions-of-android-users/ 


1/12 








3/5/2018 


Drive-by cryptomining campaign targets millions of Android users - Malwarebytes Labs | Malwarebytes Labs 



“Your device is showing suspicious surfing behaviour. Please prove that 
you are human by solving the captcha.” 


Until the code (w3FaS05R) is entered and you press the Continue button, your phone or tablet will be mining 
Monero at full speed, maxing out the device’s processor. 

Redirection mechanism 

The discovery came while we were investigating a separate malware campaign dubbed EITest in late January. We 
were testing various malvertising chains that often lead to tech support scams with an Internet Explorer or 
Chrome user-agent on Windows. However, when we switched to an Android, we were redirected via a series of 
hops to that cryptomining page. 
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It seems odd that a static code (which is also hardcoded in the page’s source) would efficiently validate traffic 
between human and bot. Similarly, upon clicking the Continue button, users are redirected to the Google home 
page, another odd choice for having proved you were not a robot. 

While Android users may be redirected from regular browsing, we believe that infected apps containing ad 
modules are loading similar chains leading to this cryptomining page. This is unfortunately common in the 
Android ecosystem, especially with so-called “free” apps. 

It’s possible that this particular campaign is going after low quality traffic—but not necessarily bots —and rather 
than serving typical ads that might be wasted, they chose to make a profit using a browser-based Monero miner. 

We identified several identical domains all using the same CAPTCHA code, and yet having different Coinhive site 
keys (see our indicators of compromise for the full details). The first one was registered in late November 2017, 
and new domains have been created since then, always with the same template. 
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Traffic stats 

We believe there are several more domains than just the few that we caught, but even this small subset is 
enough to give us an idea of the scope behind this campaign. We shared two of the most active sites with ad 
fraud researcher Dr. Augustine Fou, who ran some stats via the SimilarWeb web analytics service. This confirmed 
our suspicions that the majority of traffic came via mobile and spiked in January. 
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It is difficult to determine how much Monero currency this operation is currently yielding without knowing how 
many other domains (and therefore total traffic) are out there. Because of the low hash rate and the limited time 
spent mining, we estimate this scheme is probably only netting a few thousand dollars each month. However, as 
cryptocurrencies continue to gain value, this amount could easily be multiplied a few times over. 

Conclusion 

The threat landscape has changed dramatically over the past few months, with many actors jumping on the 
cryptocurrency bandwagon. Malware-based miners, as well as their web-based counterparts, are booming and 
offering online criminals new revenue sources. 

Forced cryptomining is now also affecting mobile phones and tablets en masse—not only via Trojanized apps, 
but also via redirects and pop-unders. While these platforms are less powerful than their Desktop counterparts, 
there is also a greater number of them out there. Similar to what we see with loT devices, it’s not always the 
individual specifications, but rather the power of the collective group altogether that matters. 

We strongly advise users to run the same security tools they have on their PC on their mobile devices, because 
unwanted cryptomining is not only a nuisance but can also cause permanent damage. 

Malwarebytes mobile users are protected against this threat. 

Indicators of compromise 

Domains: 


rcyclmnr[].com 
rcylpd[.]com 
recycloped[.]com 
rcyclmnrhgntry[,]com 
rcyclmnrprd[.]com 
rcyclmnrepv[.]com 


Referring websites (please note that they should not be necessarily considered malicious): 


panelsave[.]com 
offerreality[.]com 
thewise[.]com 
go. bestmobiworld[.]com 
questionfly[.]com 
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How Google could stop most of this: 

Treat them as malware, 

and include known miners in the Safe Browsing block lists that are built-in on Chrome and 
Firefox. 

Known miners will be blocked by default, without having to rely on browser extensions. 


And Google will go nuclear on the miners for one simple reason: 

Each site that turns to mining, is one less site dependent on advertising (Google's main 
revenue source). Mining is a clear threat to Google. 

'Crypto-currency' is quickly become another type of malware. That's their reputation now. 
Monero is just another entry in the virus databases of Symantec and Microsoft. 
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